Monero miner found in third-party Kodi add-ons for Linux and Windows

The now-shuttered XvBMC and Bubbles third-party add-on repositories, along with the still operating Gaia, have been hosting more than just software products, as researchers have discovered these sites have been abused to propagate a cryptomining campaign centered on the popular open-source media player Kodi.

ESET researchers have reported that the three add-on repositories, two of which were forced to shut down over copyright infringement issues, had been housing third party Kodi add-ons containing mining malware. Kodi add-ons have caught some flak in the past for allowing users to access pirated content and have in one other case been used to spread malware — in that case, a DDoS module.

Rod Soto, director of security research at JASK, described the campaign as a great example of cybercriminals’ creativity.

“This is an interesting attack vector as the Kodi media player is usually present across many platforms — from computers to other IoT devices,” Soto told SC Media. “Plus, those using the software don’t usually check the code and simply download attractive add-ons, such as ones that give users access to TV channels not available from mainstream providers, making them widely used.”

The cryptocurrency mining campaign was first recognized when malware found in XvBMC was linked back to Bubbles and Gaia in December. These then spread through the update routines of unsuspecting users of other third-party Kodi add-ons and ready-made Kodi builds, ESET said.

The miner, which digs Monero, has a multi-stage design and deploys countermeasures to help it deliver the cryptomining payload to Windows and Linux devices, but so far it has ignored Apple and Android.

The malware is spread three different ways, but all center on Kodi.

The first adds the URL of a malicious repository to the victims’ Kodi installation, allowing the mining add-on to be installed whenever the Kodi add-on is updated. The second method sees the threat actor creating a ready-made Kodi build that contains the URL of one of the three repositories and again the malicious add-on is added whenever Kodi is updated. The third also involves a ready-to-install Kodi build, but this one already contains the malicious add-on with no need to download it from another source.

So far most victims have been in the United States, Israel, Greece, the United Kingdom and the Netherlands, which ESET said makes sense since these nations are among the highest users of Kodi add-ons.

Even though the primary repositories responsible for spreading the mine are shut down or clean, ESET warned the malware can be found in other add-on repositories and many people who unwittingly downloaded the miner are likely still generating money for the criminals behind the campaign.